PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-06-26 08:39:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

maintenance: allow /partage through gate, fix fragment routing, add visibility table in admin

Browse Source 
Extract shared filepond logic into src/FilepondHandler.php class.
Admin filepond endpoints delegate to the handler after AdminAuth check.
New partage filepond endpoints at /partage/actions/filepond/ verify
share_active session flag + CSRF token, no admin auth required.

JS reads filepond-base meta tag to determine endpoint path:
- Admin pages: /admin/actions/filepond (via head.php isAdmin check)
- Partage form: /partage/actions/filepond (explicit meta)

partage/index.php sets share_active = true on form render, cleans up on
successful submit. Partage process endpoint rate-limited to 30/5min per
session. No nginx changes needed — /partage/ location already handles
PHP without auth_basic.
This commit is contained in:
Pontoporeia
2026-05-12 15:19:32 +02:00
parent da153fc604
commit 6f7a02244f
22 changed files with 15010 additions and 532 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
app/public/admin/actions/filepond/remove.php
View File

@@ -1,6 +1,6 @@
<?php
/**
* FilePond remove endpoint — soft-deletes an already-saved thesis_files row.
* FilePond remove endpoint — soft-deletes a thesis_files row (admin).
*
* DELETE /admin/actions/filepond/remove.php
* Body: JSON { "db_id": 123 }
@@ -10,8 +10,9 @@
require_once __DIR__ . '/../../../../bootstrap.php';
require_once __DIR__ . '/../../../../src/AdminAuth.php';
require_once __DIR__ . '/../../../../src/ErrorHandler.php';
require_once __DIR__ . '/../../../../src/FilepondHandler.php';
// ── Auth (admin only) ────────────────────────────────────────────────────
AdminAuth::requireLogin();
// ── CSRF via header ──────────────────────────────────────────────────────
@@ -22,59 +23,5 @@ if (!isset($_SESSION['csrf_token'])
die('Token CSRF invalide.');
}
// ── Only accept DELETE ───────────────────────────────────────────────────
if ($_SERVER['REQUEST_METHOD'] !== 'DELETE') {
http_response_code(405);
die('Méthode non autorisée.');
}
// ── Parse JSON body ──────────────────────────────────────────────────────
$body = json_decode(file_get_contents('php://input'), true);
$dbId = filter_var($body['db_id'] ?? '', FILTER_VALIDATE_INT);
if ($dbId === false || $dbId <= 0) {
http_response_code(400);
die('ID de fichier invalide.');
}
// ── Look up and soft-delete ──────────────────────────────────────────────
require_once APP_ROOT . '/src/Database.php';
$db = new Database();
$pdo = $db->getConnection();
$stmt = $pdo->prepare('SELECT * FROM thesis_files WHERE id = ?');
$stmt->execute([$dbId]);
$fileRow = $stmt->fetch();
if (!$fileRow) {
http_response_code(404);
die('Fichier introuvable.');
}
// ── Move physical file to _trash/ for recovery ───────────────────────────
$filePath = $fileRow['file_path'] ?? '';
if ($filePath !== ''
&& !str_starts_with($filePath, 'peertube_ids:')
&& !str_starts_with($filePath, 'http://')
&& !str_starts_with($filePath, 'https://')) {
$absPath = STORAGE_ROOT . '/' . $filePath;
if (file_exists($absPath)) {
$trashDir = STORAGE_ROOT . '/tmp/_trash';
if (!is_dir($trashDir)) {
mkdir($trashDir, 0755, true);
}
$trashPath = $trashDir . '/' . basename($filePath);
// Append db_id to avoid name collisions
$trashPath = $trashDir . '/' . $dbId . '_' . basename($filePath);
rename($absPath, $trashPath);
}
}
// ── Soft-delete the row (set deleted_at timestamp) ───────────────────────
// thesis_files may not have a deleted_at column; delete outright for now.
$delStmt = $pdo->prepare('DELETE FROM thesis_files WHERE id = ?');
$delStmt->execute([$dbId]);
http_response_code(200);
exit;
$handler = new FilepondHandler('[filepond:admin]');
$handler->handleRemove();